====== Migration ======
**Priority 3** - For existing PKI infrastructures \\
**Target audience:** PKI Administrators, Security Architects
Strategies and runbooks for migrating from classic to post-quantum-capable PKI infrastructures.
----
===== Overview =====
<code mermaid>
flowchart LR
    subgraph CLASSIC["CLASSIC"]
        C1[RSA-2048]
        C2[ECDSA P-256]
    end
    subgraph HYBRID["HYBRID"]
        H1[RSA + ML-DSA]
        H2[ECDSA + ML-DSA]
    end
    subgraph PQ["POST-QUANTUM"]
        P1[ML-DSA-65]
        P2[ML-DSA-87]
    end
    C1 --> H1 --> P1
    C2 --> H2 --> P2
    style CLASSIC fill:#ffebee
    style HYBRID fill:#fff3e0
    style PQ fill:#e8f5e9
</code>
----
===== Migration Paths =====
^ Path ^ Description ^ Risk ^ Duration ^
| **Classic -> Hybrid** | Gradual migration with backward compatibility | Low | 6-12 months |
| **Parallel Operation** | Two PKIs operated simultaneously | Medium | 3-6 months |
| **Big Bang** | Complete switchover in one step | High | 1-3 months |
----
===== Scenarios =====
^ Scenario ^ Description ^ Risk ^
| [[.:classic-to-hybrid|Classic -> Hybrid]] | Migrate RSA/ECDSA to hybrid mode | Medium |
| [[.:parallel-betrieb|Parallel Operation]] | Operate classic + PQ simultaneously | Low |
| [[.:rollback-strategie|Rollback Strategy]] | Plan and test emergency fallback | - |
| [[.:inventur|Certificate Inventory]] | Inventory of all certificates | Low |
----
===== Migration Phases =====
<code mermaid>
gantt
    title PKI Migration Timeline
    dateFormat YYYY-MM
    section Preparation
    Inventory          :a1, 2024-01, 1M
    Risk Analysis      :a2, after a1, 1M
    Test Environment   :a3, after a2, 2M
    section Pilot
    Pilot Group        :b1, after a3, 2M
    Evaluation         :b2, after b1, 1M
    section Rollout
    Infrastructure     :c1, after b2, 2M
    Server Certs       :c2, after c1, 3M
    Client Certs       :c3, after c2, 3M
    section Completion
    Monitoring         :d1, after c3, 1M
    Deactivate classic :d2, after d1, 1M
</code>
----
===== Decision Tree =====
<code mermaid>
flowchart TD
    A[Start migration] --> B{New PKI or existing?}
    B -->|New| C[Direct PQ/Hybrid]
    B -->|Existing| D{Compatibility requirement?}
    D -->|High| E[Parallel operation]
    D -->|Medium| F[Hybrid migration]
    D -->|Low| G[Big Bang]
    E --> H[Operate both PKIs]
    F --> I[Gradual upgrade]
    G --> J[Complete replacement]
    style C fill:#e8f5e9
    style F fill:#fff3e0
    style G fill:#ffebee
</code>
----
===== Prerequisites =====
^ Component ^ Requirement ^
| OpenSSL | 3.6+ (PQ support) |
| Clients | Hybrid-capable TLS stacks |
| HSM | PQ algorithms supported |
| Monitoring | Dual-mode alerting |
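As an added check that is not part of the original page, the following POSIX shell script verifies the OpenSSL row of this table on a host before migration starts. It assumes the ''openssl version'' banner has the form "OpenSSL 3.6.0 ..." and that ''openssl list -signature-algorithms'' names ML-DSA once a PQ-capable provider is loaded; the parsing functions take their input as arguments so they can be exercised with constructed strings.

```shell
#!/bin/sh
# Prerequisite check for the "OpenSSL 3.6+ (PQ support)" row (added example).

# Return 0 if the "OpenSSL <major>.<minor>..." banner in $1 is version 3.6 or newer.
# A banner from another toolkit (e.g. LibreSSL) does not match and fails the check.
openssl_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver                       # $1 = major, $2 = minor
    [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 6 ]; }
}

# Return 0 if the signature-algorithm listing in $1 mentions any ML-DSA variant
# (ML-DSA-44/65/87); assumed output format of `openssl list -signature-algorithms`.
pq_sigalg_listed() {
    printf '%s\n' "$1" | grep -qi 'ML-DSA'
}

# Run both checks against the locally installed openssl binary.
check_openssl() {
    banner=$(openssl version 2>/dev/null) || { echo "FAIL: openssl not found"; return 1; }
    if openssl_version_ok "$banner"; then
        echo "OK:   $banner"
    else
        echo "FAIL: $banner (need OpenSSL 3.6+)"; return 1
    fi
    algs=$(openssl list -signature-algorithms 2>/dev/null)
    if pq_sigalg_listed "$algs"; then
        echo "OK:   ML-DSA signature algorithm available"
    else
        echo "FAIL: no ML-DSA signature algorithm listed (PQ provider missing?)"; return 1
    fi
}

# Invoke as `sh check-openssl.sh --run` to test the local installation.
if [ "${1:-}" = "--run" ]; then
    check_openssl
fi
```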
----
===== Related Documentation =====
* [[en:int:pqcrypt:business:migration-roadmap|Business Migration Roadmap]] - Strategic planning
* [[en:int:pqcrypt:developer:migration|Developer Migration]] - Code adjustments
* [[en:int:pqcrypt:konzepte:start|Crypto Modes]] - Hybrid vs. PQ
----
<< [[..:start|<- Operator Scenarios]] | [[.:classic-to-hybrid|-> Classic -> Hybrid]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>operator migration hybrid pq legacy}}